Administering Cisco VTS


This chapter has the following topics:

- Setting up System
- Modifying Login Banners
- Setting Global Route Reflector
- Registering the Virtual Machine Manager using GUI
- Integrating Cisco VTS with Multiple Virtual Machine Managers
- Backing up the Database in non HA Mode
- Restoring the Database in non HA Mode
- Backing up the Database in HA Mode
- Restoring the Database in HA Mode
- Viewing HA Status
- Enabling External Authentication and Authorization
- Enabling Accounting and Logging

Setting up System

To set up the system:

- Go to Administration > System Settings. The System Settings page appears.
- Enter the DHCP Server IPv4 address. This can be a valid IPv4 address.
- Enter the DHCP Server IPv6 address. This can be a valid IPv6 address. You must ensure that the DHCP server is reachable from tenant leaves. The addresses need to be on the underlay side, not a management IP.

- Enter the AnyCast GW Mac. This is mandatory. Click ? for information about the format.
- Choose the VTF Mode you want to use. VTF L2 mode means the hosts in Host Inventory can have vtf-l2 as the virtual switch option. The other option is VTF-VTEP mode, which means the hosts in Host Inventory can have vtf-vtep as the virtual switch option.
  Note: For OpenStack, VTF L2 mode is supported only on OpenStack Newton.
  - VTEP L2 - If you want to use VTF as an L2 switch.
  - None - No VTF involved.
- Specify the Out-of-Sync Commit behavior to control the Check Sync feature. See Synchronizing Configuration for details about synchronizing configuration using the Config Sync feature. Choose one of the following:
  - Accept - Check sync feature in network inventory will be disabled.
  - Reject - Check sync feature in network inventory will be enabled.
- Enable or disable Device South Bound Lock. Device southbound lock is enabled by default. When VTS has a redundant pair or group, it is possible for a transaction to succeed even when one or more of the redundant members are down, as long as one device is up. When the transaction comes, VTS checks the connectivity to the redundant devices, and if it cannot reach one of the devices, the admin state of the device will be changed to southbound-locked and the transaction configuration will only be pushed to the active devices. In order for the southbound lock feature to work, you must create a umap and provide the credentials that NSO will use, in the authgroup "vts-default".
  This feature currently supports the following redundant groups:
  - VPC Pair
  - ESI Group
  - Static Multi-Homed devices
  - DCI
  - VTSR
- Click Submit.

Modifying Login Banners

The Login Banners page lets you modify the text that appears on the VTS login page and Home page.

- Go to Administration > Login Banners. The Login Banners page appears.
- Modify the text in the Before login Text text box, to update the text that appears on the VTS login screen.
- Modify the text in the After login Text text box, to update the text that appears on the Home page after you log in.
- Click Submit.

Setting Global Route Reflector

You have the option to use either an inline route reflector or a global route reflector. To set the global route reflector:

- Go to Administration > Route Reflector.
- Use the toggle switch to choose Global.
  Note: The Spine has to be selected as route reflector under global RR so that it is available for all other devices. This should be done before you create the admin domain.
- Select the device.
- Click Save.

Registering the Virtual Machine Manager using GUI

You can register the VMM using the VTS GUI. You can also specify whether the VMM you register is a trusted or an untrusted VMM.

Note: For cluster-based deployments, you must install the plugin on each node.

To do this:

- Go to Administration > Virtual Machine Manager.
- Click the Add (+) button. The Register VMM page is displayed.
- Enter the VMM Details:

  - Name - Name of the VMM.
  - Version - Specify the version from the drop-down.
  - Mode - Whether the VMM has been registered as Trusted or Untrusted.
  - API Endpoint Details - The fields differ based on the VMM you choose.

  API Endpoint Details for OpenStack
  - API Protocol:IP Address:Port - VMM service endpoint's IPv4/IPv6 address and port. Make sure you use the same IP address format (IPv4/IPv6) for all IP address fields. Mixed mode is not supported.
  - Keystone Protocol:IP Address:Port - Keystone protocol, IP address and port for OpenStack.
  - OpenStack Admin Project - Tenant with Administrator privileges in OpenStack. This can be any tenant with Administrator privileges. Any change to this tenant name, username, and passphrase needs to be updated in Cisco VTS for Multi-VMM operations to work properly.
  - Admin User Name - Admin user for the admin project in OpenStack.
  - Admin Passphrase - Password of the admin user.

  API Endpoint Details for vCenter. This is optional.
  - API Protocol:IP Address:Port - VMM service endpoint's IPv4/IPv6 address and port. Make sure you use the same IP address format (IPv4/IPv6) for all IP address fields. Mixed mode is not supported.
  - Datacenter - The name of the datacenter for which Cisco VTS acts as the controller.
  - Admin User Name - Username of the vCenter VMM.
  - Admin Passphrase - Password of the vCenter VMM.

- Click Register. After the VMM is registered successfully, the Plugin section opens up.
- For OpenStack:
  a) Select the desired radio button to specify whether you want to Install plug in with Red Hat OSP Director or not. If you select Yes, enter the following details:
     - OSP Director IP Address
     - OSP Director User name
     - OSP Director Passphrase
  b) Click Save. The Neutron Servers section opens up.
  c) Click Add (+) to add a Neutron Server. The Add Neutron Server popup is displayed.
  d) Enter the Server IP Address and the Server User Name.
  e) Click Save and Install Plugin.

  You may add more Neutron Servers using the Add (+) option, if you have multiple controllers (HA Mode). The Server Plugin Installation status shows whether the installation was a success.

  Note: If you had opted not to use OSP Director, you will need to enter the password for the Neutron servers while adding the servers.

  In case the Plugin Installation Status in the Virtual Machine Manager page shows the failure icon, you may choose to edit the VMM using the Edit option and rectify the error. Click the Server Plugin Status icon to view details of the error.
- For vCenter:
  a) Enter the following in the Plugin details section:
     Note: If you had entered the API endpoint details, the Plugin details will get populated automatically.
     - IP Address : Port
     - Admin User Name
     - Admin Passphrase

To delete a VMM, select the check box corresponding to the VMM you need to delete, and click the delete (X) icon. The VMM is deleted after you click Delete in the Confirm Delete popup.

Uninstalling the OpenStack Plugin

To uninstall the OpenStack plugin from the Neutron server:

- Go to Administration > Virtual Machine Manager.
- Select the specific VMM.
- Go to the Neutron server plugin section, which shows the list of Neutron servers on which you have installed the OpenStack plugin.
- Check the checkbox next to the Neutron server row, and click the - sign next to it. This uninstalls the plugin.

Integrating Cisco VTS with Multiple Virtual Machine Managers

You can integrate Cisco VTS with multiple Virtual Machine Managers while managing a single data center fabric.

Note: We recommend that you use an external DHCP server for your Multi VMM (MVMM) setup.

Cisco VTS, which manages hardware and software overlays, registers to multiple VMMs and enables:
- Tenant, router and network in Cisco VTS to be provisioned via OpenStack or vCenter
- Cisco VTS to provision the same Tenant/Router/Network across different VMMs

The MVMM feature is supported on:

- vCenter 5.5 and vCenter 6.0
- OpenStack Liberty and Newton

VMM Registration Modes

When you register a VMM with Cisco VTS, you can specify whether the VMM is a trusted VMM or an untrusted VMM. For information about registering VMMs, see Registering the Virtual Machine Manager using GUI.

Trusted VMM

A trusted VMM is one where the VMM administrator initiates service creation, and this gets reflected in VTC and the fabric. From trusted VMMs, Cisco VTS learns/discovers networks and auto-creates a network object in Cisco VTS.

In trusted mode:
- Cisco VTS registers with multiple VMMs and installs the appropriate plugins on the VMMs.
- Cisco VTS trusts the VMMs and accepts the tenant/network information published by VMM to Cisco VTS.
- VMM publishes the network information using the VTS plugin and the REST APIs exposed by Cisco VTS.

Cisco VTS supports the following variants in trusted mode:

Same Tenant / Disjoint Networks

In this variant, Cisco VTS integrates with two or more VMMs, and:
- Allows the VMMs to share the same tenant, but work on disjoint networks. In case two or more VMMs need to share the same tenant, the operators of the VMMs have to co-ordinate on the names before sending the network information to Cisco VTS. Cisco VTS uses the tenant name and the network name to identify the tenant and network.
- Allows each VMM to create its own network to attach their respective workloads. Cisco VTS admin provisions an overlay router using the VTS GUI to bring the networks together by L3 routing. Cisco VTS admin can add an external network to the overlay router created above so that the VRF corresponding to overlay router can be extended to the DCI to facilitate MPLS L3VPN or internet connectivity.

Same Tenant / Same Network

In this variant, Cisco VTS integrates with two or more VMMs, and:
- Allows the VMMs to share the same tenant, and also share the same networks, in order to attach their respective workloads. In case two or more VMMs need to share the same tenant, the operators of the VMMs have to co-ordinate on the names before sending the network information to Cisco VTS.


Untrusted VMM

An untrusted VMM is one where the VMM administrator cannot create tenant/router/network service. Instead, the Cisco VTS administrator is the one who creates these services on these VMMs. Cisco VTS rejects any service creation call from an untrusted VMM.

In untrusted mode, Cisco VTS:
- Registers with multiple VMMs and installs its plugin on the VMMs.
- Does not trust the VMMs and rejects the tenant/network information published by VMMs to VTS.
- Can publish the Tenant/Network information to the VMMs.

Cisco VTS supports the following variants in the untrusted mode:

Same Tenant / Disjoint Networks

In this variant, Cisco VTS integrates with two or more VMMs, and:
- Allows the VMMs to share the same tenant, but work on disjoint networks. In case Cisco VTS needs two or more VMMs to share the same tenant, VTS admin publishes the network information to the VMMs. VMMs sync the tenant information with Cisco VTS using the VTS plugin and the REST APIs exposed by VTS.
- Creates disjoint networks for each of the VMMs and publishes them individually to the VMMs. VTS allows each VMM to create its own network to attach their respective workloads. Cisco VTS admin provisions an overlay router using the VTS GUI to bring the networks together by L3 routing. Cisco VTS admin can add an external network to the overlay router created above so that the VRF corresponding to overlay router can be extended to DCI to facilitate MPLS L3VPN or internet connectivity.

Same Tenant / Same Network

In this variant, VTS integrates with two or more VMMs, and:
- Allows the VMMs to share the same tenant, and also the networks.
- Enables VMMs to share the same tenant. VTS admin publishes the tenant information individually to each VMM. VMM syncs the tenant information with Cisco VTS using the VTS plugin and the REST APIs exposed by Cisco VTS.
- Creates networks and publishes them individually to the VMMs.
  Cisco VTS allows each VMM to attach their workloads to the networks.

Workflows in MVMM mode of Operation

To support the above modes, Cisco VTS:
- Enables you to merge the private L2 networks on different VMMs to create a Multi VMM L2 network. The private L2 networks are created by the individual VMMs and the merge operation is controlled by the Cisco VTS administrator. Cisco VTS' involvement is to coalesce two or more network objects in the VTS database into one. After a successful merge operation, all the networks would be tied together by a unique L2 VNID. This means that the VLAN allocation scheme to VMM private L2 network remains intact. Even if workloads belonging to two different VMMs are placed on the same leaf node, there could be two different VLAN allocations, but the same VNI allocation. Traffic between the two workloads will go through VXLAN encap/decap. The normal mode of VNI allocation in Cisco VTS is dynamic (per admin domain) and is assigned per private L2 network.
- Learns L2 networks from trusted VMMs and publishes these to other untrusted VMMs under the control of VTS admin. The Cisco VTS GUI is used to create these networks and publish to untrusted VMMs. Cisco VTS can reuse the VNI that was assigned to the originating VMM and push that to the other untrusted VMMs. If there is no originating VMM (and VTS is the originator), then VNI allocation can happen freely in Cisco VTS.
- Creates a router that can interconnect L2 networks across multiple VMMs.

Merge and Publish Operations

The VTS administrator is responsible for deciding which networks need to be merged and which networks need to be published to other VMMs.

Merge operation

Cisco VTS learns and auto-creates a Multi VMM L2 network by combining private L2 networks from multiple trusted VMMs. For a successful merge operation, the tenant name, network name, subnet name, subnet CIDR, and underlay multicast address must match. You can select one/multi/all tenants and networks within a source VMM, and then choose a list of VMMs within which the merge would be in effect. Both the source and destination VMMs need to be trusted.

Note: We recommend that you ensure that Shared Networks have unique names across all tenants and all VMMs. This is to avoid ambiguity related to network names, which you might encounter during Multi VMM merge operations.

Publish operation

Cisco VTS initiates the creation of a Multi VMM L2 network on untrusted/trusted VMMs. This decides which network (regardless of the source) needs to be published to a list of VMMs. The VMMs can either be trusted or untrusted. Publish operation automatically pushes tenant and network information on the target VMM.

Note: A merged network cannot be published. To publish, you need to remove the merge definition, and then do the publish operation.


Important: Upon publishing, Cisco VTS does not create the users for a tenant that it creates in OpenStack. To view the tenant project, a user has to be assigned to the project. The OpenStack user has to attach a user to the tenant.

Cisco VTS publishes networks to OpenStack as network type = vxlan. Before performing a publish operation, make sure that the plugin.ini, which is located at /etc/neutron/plugin.ini, has the following properties with network type vxlan as one of the values, for example:

    type_drivers = vxlan, <network_type2>, <network_type3> <network_type_n> [comma separated list of network types]
    tenant_network_types = vxlan, <network_type2>, <network_type3>.<network_type_n> [comma separated list of network types]

You also need to uncomment the property vni_ranges and update it with suitable range values. For example:

    # Comma-separated list of <vni_min>:<vni_max> tuples enumerating ranges of
    # VXLAN VNI IDs that are available for tenant network allocation (list value)
    #vni_ranges =
    vni_ranges =10:100

To make this configuration take effect, you need to restart the neutron-server.

Note: In case of OpenStack Newton these values are, by default, configured in plugin.ini as above.

Deleting Merged Networks

Individual VMMs can delete the merged networks from the VMMs as long as there is no workload attached to it. Cisco VTS will keep that network until the last VMM integrated with it deletes the network.

Deleting Published Networks

You cannot delete a network or subnet from VTS after a publish operation. You need to delete the publish operation before you change the network or subnet from the source VMM or VTS. If you update from the source VMM, the target VMM will not be affected. If you update from the VTS GUI, the update will fail. All operations on published networks can be initiated only from the VTS GUI. If the network was published from VMM1 to VMM2, then VMM1 can remove the network, but the published network will still exist on VMM2. If VTS published the network to VMM2, then if VMM2 deletes the network, Cisco VTS will not allow the network to be deleted as long as the publish definition exists.

In order to delete a published network/subnet, you have to first unpublish the network, and then perform the delete operation. To unpublish a published network you need to remove the publish definition before you delete the network. To do this, go to the source VMM, view the publish definition and deselect the network which you want to unpublish.

Note: If there is a network which has already been published in the reverse direction, that is, from the current target to the source as per the UI, then, to unpublish it, you need to go to that target VMM, view the publish definition, and uncheck the check box for the network.
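
The plugin.ini prerequisites for a publish operation described above can be checked before neutron-server is restarted. The following is an added example, not part of the Cisco guide or Cisco code; it assumes the standard ML2 section names [ml2] and [ml2_type_vxlan] (the guide does not show section headers), and the function name check_plugin_ini and the sample files are constructed for illustration.

```bash
#!/bin/sh
# Added example (not Cisco code): preflight check of the plugin.ini settings
# that a publish operation depends on. Assumes the standard ML2 section names
# [ml2] and [ml2_type_vxlan]; the guide does not show section headers.

# check_plugin_ini FILE
# Prints one FAIL line per problem. Returns 0 when the file is ready, 1 if not.
check_plugin_ini() {
    awk '
    function need_vxlan(k,    n, parts, i) {
        if (k in conf) {
            n = split(conf[k], parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] == "vxlan") return 0
        }
        print "FAIL " k ": vxlan is not one of the values"
        return 1
    }
    function bad_ranges(list,    n, parts, i, mm) {
        n = split(list, parts, ",")
        if (n == 0) return 1
        for (i = 1; i <= n; i++) {
            if (parts[i] !~ /^[0-9]+:[0-9]+$/) return 1
            split(parts[i], mm, ":")
            # A VXLAN VNI is a 24-bit value, so valid IDs are 1..16777215.
            if (mm[1] + 0 < 1 || mm[2] + 0 > 16777215 || mm[1] + 0 > mm[2] + 0) return 1
        }
        return 0
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        c = substr(line, 1, 1)
        if (line == "" || c == "#" || c == ";") next     # blank or commented out
        if (c == "[") { section = line; next }           # track the current section
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        conf[section "/" key] = val                      # last assignment wins
    }
    END {
        bad = need_vxlan("[ml2]/type_drivers")
        bad += need_vxlan("[ml2]/tenant_network_types")
        k = "[ml2_type_vxlan]/vni_ranges"
        if (!(k in conf)) { print "FAIL " k ": missing or still commented out"; bad++ }
        else if (bad_ranges(conf[k])) { print "FAIL " k ": bad range list " conf[k]; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed samples: "before" has vxlan missing from type_drivers and
# vni_ranges still commented out; "after" has the corrected settings.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before.ini" <<'EOF'
[ml2]
type_drivers = flat,vlan
tenant_network_types = vxlan,vlan

[ml2_type_vxlan]
#vni_ranges =
EOF
    cat > "$dir/after.ini" <<'EOF'
[ml2]
type_drivers = vxlan,flat,vlan
tenant_network_types = vxlan,vlan

[ml2_type_vxlan]
vni_ranges =10:100
EOF
    for f in before after; do
        echo "== $f.ini"
        check_plugin_ini "$dir/$f.ini" && echo "OK: ready for publish"
    done
    rm -rf "$dir"
}

# With a path argument, check that file; without one, run the constructed demo.
if [ "$#" -gt 0 ]; then check_plugin_ini "$1"; else demo; fi
```

The check is scoped by section so that a vni_ranges entry belonging to another type driver does not satisfy the VXLAN requirement.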


Performing Merge Operation from VMM

To initiate a merge operation from the Virtual Machine Manager page:

- Go to Administration > Virtual Machine Manager.
- Select the Source VMM and click the Merge icon under the Multi VMM Operations column. The Merge window opens. The Source VMM is the one from which the operation is initiated. It will be selected and highlighted by default.
- Click the radio button corresponding to the Target VMM. The Tenants from Source column lists the tenants that are available. You can use the + New button to add a new tenant name. To add a new tenant, enter the tenant name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the tenant is actually created.
  You can use the filter to view the available tenants or selected tenants. By default, it shows all tenants. You may use the select all button to select all tenants. If you use the select all option, you can set the Include Tenants that will be created in future automatically toggle switch to Yes.
- Select the desired tenant(s). The Networks from Source column lists the Networks available in the source VMM, for that tenant. You can use the + New button to add a new network name. To add a new network, enter the network name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the network is actually created.
  You can use the filter to view the available networks or selected networks. By default, it shows all networks. You may use the select all button to select all networks. If you use the select all option, you can set the Include Networks that will be created in future automatically toggle switch to Yes. This toggle switch will also be set to Yes if you had set the Include Tenants that will be created in future automatically toggle switch to Yes.
- Select the desired networks.
- Click Save.

Performing Merge Operation from Tenant

- Go to Tenants > Tenant Management.
- Select the VMM from the drop down. The tenants for the VMM are displayed.
- Click the Merge icon under the Multi VMM Operations column for the desired tenant.
- Click the radio button to select the Target VMM.
- Select the Networks from Source to be merged. You can use the + New button to add a new network name. To add a new network, enter the network name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the network is actually created.
  You can use the filter to view the available networks or selected networks. By default, it shows all networks.

  You may use the select all button to select all networks. If you use the select all option, you can set the Include Networks that will be created in future automatically toggle switch to Yes.
- Click Save.

Performing Merge Operation from Network

- Go to Overlay > Network. The Overlay / Network window appears.
- Select the source from the Select Source drop down list.
- Select the tenant from the Select Tenant drop down list.
- Click the Merge icon for the desired network.
- Select the target VMM.
- Select the network from the Network from Source column.
- Click Save.

Performing Publish Operation from VMM

To publish from VMM:

- Go to Administration > Virtual Machine Manager.
- Select the Source VMM and click the Publish icon under the Multi VMM Operations column. The Publish window opens. The Source VMM is the one from which the operation is initiated. It will be selected and highlighted by default.
- Click the radio button corresponding to the Target VMM. The Tenants from Source column lists the tenants that are available. You can use the + New button to add a new tenant name. To add a new tenant, enter the tenant name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the tenant is actually created.
  You can use the filter to view the available tenants or selected tenants. By default, it shows all tenants.
- Select the desired tenant(s). The Networks from Source column lists the Networks available in the source VMM, for that tenant. You can use the + New button to add a new network name. To add a new network, enter the network name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the network is actually created.
  You can use the filter to view the available networks or selected networks. By default, it shows all networks.

  You may use the select all button to select all networks.
- Select the desired networks.
- Click Save.

Performing Publish Operation from Tenant

To initiate a publish operation from Tenant:

- Go to Tenants > Tenant Management.
- Select the VMM from the drop down. The tenants for the VMM are displayed.
- Click the Publish icon under the Multi VMM Operations column for the desired tenant.
- Click the radio button to select the Target VMM.
- Select the Networks from Source to be merged. You can use the + New button to add a new network name. To add a new network, enter the network name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the network is actually created.
  You can use the filter to view the available networks or selected networks. By default, it shows all networks.
- Click Save.

Performing Publish Operation from Network

- Go to Overlay > Network. The Overlay / Network window appears.
- Select the source from the Select Source drop down list.
- Select the tenant from the Select Tenant drop down list.
- Click the Publish icon for the desired network.
- Select the target VMM.
- Select the network from the Network from Source column.
- Click Save.


Performing Publish Operation from VTS

To publish from VTS:

- Go to Administration > Virtual Machine Manager.
- Click the publish from VTS icon. The Publish window opens with the source as VTS. It is selected and highlighted by default.
- Click the radio button corresponding to the Target VMM. The Tenants from Source column lists the tenants that are available. You can use the + New button to add a new tenant name. To add a new tenant, enter the tenant name in the text box, and click the tick icon.
  Note: This will take effect only after the tenant is actually created.
  Click X to delete a tenant you do not want to publish from VTS. You can use the filter to view the available tenants or selected tenants. By default, it shows all tenants.
- Select the desired tenant(s). The Networks from Source column lists the Networks available in the source VMM, for that tenant. You can use the + New button to add a new network name. To add a new network, enter the network name in the text box, and click the tick icon. Click X to delete.
  Note: This will take effect only after the network is actually created.
  You can use the filter to view the available networks or selected networks. By default, it shows all networks. You may use the select all button to select all networks.
- Select the desired networks.
- Click Save.

Note: After you register vCenter as a VMM, and, for the first time, perform a publish operation to publish a tenant and multiple networks to this vCenter VMM, the tenant and networks fail to get published to the VMM. The error next to the policy certificate shows an exception related to SSL handshake. Click the Retry button to get the tenant and networks published to the VMM.

Backing up the Database in non HA Mode

Perform the following tasks to backup the database:

    $ sudo su
    # source /etc/profile.d/ncs.sh
    # service nso status
    root@vtc-2:/opt/vts/bin# service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: active (running) since Sat :51:29 UTC; 11h ago
      Process: 4551 ExecStop=/bin/sh -lc /opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)

    # service nso stop
    # service nso status
    admin@vtc-1:/opt/vts/log$ crm status
    ERROR: status: crm_mon (rc=107): Connection to cluster failed: Transport endpoint is not connected
    admin@vtc-1:/opt/vts/log$ service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: inactive (dead) since Thu :17:09 UTC; 6s ago
      Process: ExecStop=/bin/sh -lc /opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
      Process: 9742 ExecStart=/bin/sh -lc /opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
      Process: 9739 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
      Main PID: 9751
      CGroup: /system.slice/nso.service
    Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI TCP on :8080
    Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI SSL on :8888
    Aug 03 21:56:55 vtc-1 systemd[1]: Started File for starting NCS

    # ncs-backup --install-dir /opt/nso
    INFO Backup /var/opt/ncs/backups/ncs @ t16:57:07.backup created successfully

    # service nso start
    # service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: active (running) since Tue :04:30 UTC; 1 day 10h ago
      Process: 7723 ExecStop=/opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
      Process: 7758 ExecStart=/opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
      Process: 7755 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
      Main PID: 7764 (ncs.smp)
      CGroup: /system.slice/nso.service
        /opt/nso/current/lib/ncs/erts/bin/ncs.smp -K true -B -- -root /opt/nso/current/lib/ncs -progname ncs -- -home /dev/null -- -cd /opt/vts/run/nso -smp auto -p inet_gethost inet_gethost
        /bin/bash /opt/jre/current/bin/java -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.ta
        /opt/jre/current/bin/java-bin -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.tailf.nc
        `-8209 heart -pid

Restoring the Database in non HA Mode

Do the following to restore the database.

    $ sudo su
    # source /etc/profile.d/ncs.sh
    # service nso stop
    # service nso status
    admin@vtc-1:/opt/vts/log$ crm status
    ERROR: status: crm_mon (rc=107): Connection to cluster failed: Transport endpoint is not connected
    admin@vtc-1:/opt/vts/log$ service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: inactive (dead) since Thu :17:09 UTC; 6s ago
      Process: ExecStop=/bin/sh -lc /opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
      Process: 9742 ExecStart=/bin/sh -lc /opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
      Process: 9739 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
      Main PID: 9751
      CGroup: /system.slice/nso.service
    Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI TCP on :8080
    Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI SSL on :8888
    Aug 03 21:56:55 vtc-1 systemd[1]: Started File for starting NCS

    # ncs-backup --install-dir /opt/nso --restore <path of the ncs-filename.backup.gz>
    root@vtc-1:~# ncs-backup --install-dir /opt/nso --restore /home/admin/ncs @ t18\:10\:40.backup.gz
    Restore /opt/vts/etc/nso from the backup (y/n)? y
    Restore /opt/vts/run/nso from the backup (y/n)? y
    INFO Restore completed successfully

    # service nso start
    # service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: active (running) since Tue :04:30 UTC; 1 day 10h ago
      Process: 7723 ExecStop=/opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
      Process: 7758 ExecStart=/opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
      Process: 7755 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
      Main PID: 7764 (ncs.smp)
      CGroup: /system.slice/nso.service
        /opt/nso/current/lib/ncs/erts/bin/ncs.smp -K true -B -- -root /opt/nso/current/lib/ncs -progname ncs -- -home /dev/null -- -cd /opt/vts/run/nso -smp auto -p inet_gethost inet_gethost
        /bin/bash /opt/jre/current/bin/java -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.ta
        /opt/jre/current/bin/java-bin -classpath opt/nso/current/java/jar/* -Dport= -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.tailf.nc
        `-8209 heart -pid 7764

Backing up the Database in HA Mode

Perform the following tasks to backup the database, in HA mode. Do these on the Master.

    $ sudo su
    # crm configure property maintenance-mode=true
    # crm status
    Last updated: Thu Aug 10 05:21: Last change: Thu Aug 10 05:21: by root via cibadmin on vtc-1
    Stack: corosync
    Current DC: vtc-1 (version b0) - partition with quorum
    2 nodes and 4 resources configured
    Online: [ vtc-1 vtc-2 ]
    Full list of resources:
     Master/Slave Set: ms_vtc_ha [vtc_ha] (unmanaged)
         vtc_ha (ocf::vts:vtc_ha): Master vtc-1 (unmanaged)
         vtc_ha (ocf::vts:vtc_ha): Slave vtc-2 (unmanaged)
     ClusterIP (ocf::heartbeat:ipaddr2): Started vtc-1 (unmanaged)
     ClusterIP2 (ocf::heartbeat:ipaddr2): Started vtc-1 (unmanaged)

    # source /etc/profile.d/ncs.sh
    # service nso status
    root@vtc-2:/opt/vts/bin# service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: active (running) since Sat :51:29 UTC; 11h ago
      Process: 4551 ExecStop=/bin/sh -lc /opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)

    # service nso stop
    # service nso status
    admin@vtc-1:/opt/vts/log$ crm status
    ERROR: status: crm_mon (rc=107): Connection to cluster failed: Transport endpoint is not connected
    admin@vtc-1:/opt/vts/log$ service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: inactive (dead) since Thu :17:09 UTC; 6s ago
      Process: ExecStop=/bin/sh -lc /opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
      Process: 9742 ExecStart=/bin/sh -lc /opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
      Process: 9739 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
      Main PID: 9751
      CGroup: /system.slice/nso.service
    Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI TCP on :8080
    Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI SSL on :8888
    Aug 03 21:56:55 vtc-1 systemd[1]: Started File for starting NCS

    # ncs-backup --install-dir /opt/nso
    INFO Backup /var/opt/ncs/backups/ncs @ t16:57:07.backup created successfully

    # service nso start
    # service nso status
    * nso.service - File for starting NCS
      Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
      Active: active (running) since Tue :04:30 UTC; 1 day 10h ago
      Process: 7723 ExecStop=/opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
      Process: 7758 ExecStart=/opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
      Process: 7755 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
      Main PID: 7764 (ncs.smp)
      CGroup: /system.slice/nso.service
        /opt/nso/current/lib/ncs/erts/bin/ncs.smp -K true -B -- -root /opt/nso/current/lib/ncs -progname ncs -- -home /dev/null -- -cd /opt/vts/run/nso -smp auto -p inet_gethost inet_gethost
        /bin/bash /opt/jre/current/bin/java -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.ta
        /opt/jre/current/bin/java-bin -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.tailf.nc
        `-8209 heart -pid 7764

    # crm configure property maintenance-mode=false
    # crm status
    Last updated: Thu Aug 10 05:26: Last change: Thu Aug 10 05:26: by root via cibadmin on vtc-1
    Stack: corosync
    Current DC: vtc-1 (version b0) - partition with quorum
    2 nodes and 4 resources configured
    Online: [ vtc-1 vtc-2 ]
    Full list of resources:
     Master/Slave Set: ms_vtc_ha [vtc_ha]
         Masters: [ vtc-1 ]
         Slaves: [ vtc-2 ]
     ClusterIP (ocf::heartbeat:ipaddr2): Started vtc-1
     ClusterIP2 (ocf::heartbeat:ipaddr2): Started vtc-1

Restoring the Database in HA Mode

Do the following to restore the database in HA mode. Do these only on the Master.

Note: Make sure that the passwords on both VTC 1 and VTC 2 match the one in the backup file. In an L3 HA setup, if VTC 1 was the Master when you took the backup and you later made VTC 2 the Master, you must still do the restore on VTC 1 (which was the earlier Master), after making VTC 1 the current Master.

$ sudo su

# source /etc/profile.d/ncs.sh

# crm configure property maintenance-mode=true

# crm status
Last updated: Thu Aug 10 05:21:
Last change: Thu Aug 10 05:21: by root via cibadmin on vtc-1
Stack: corosync
Current DC: vtc-1 (version b0) - partition with quorum
2 nodes and 4 resources configured
Online: [ vtc-1 vtc-2 ]
Full list of resources:
 Master/Slave Set: ms_vtc_ha [vtc_ha] (unmanaged)
     vtc_ha (ocf::vts:vtc_ha): Master vtc-1 (unmanaged)
     vtc_ha (ocf::vts:vtc_ha): Slave vtc-2 (unmanaged)
 ClusterIP (ocf::heartbeat:ipaddr2): Started vtc-1 (unmanaged)
 ClusterIP2 (ocf::heartbeat:ipaddr2): Started vtc-1 (unmanaged)

# service nso stop

# service nso status
admin@vtc-1:/opt/vts/log$ crm status
ERROR: status: crm_mon (rc=107): Connection to cluster failed: Transport endpoint is not connected
admin@vtc-1:/opt/vts/log$ service nso status
* nso.service - File for starting NCS
   Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu :17:09 UTC; 6s ago
  Process: ExecStop=/bin/sh -lc /opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
  Process: 9742 ExecStart=/bin/sh -lc /opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
  Process: 9739 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
 Main PID: 9751
   CGroup: /system.slice/nso.service
Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI TCP on :
Aug 03 21:56:52 vtc-1 ncs[9751]: - Starting to listen for WebUI SSL on :8888
Aug 03 21:56:55 vtc-1 systemd[1]: Started File for starting NCS

# ncs-backup --install-dir /opt/nso --restore <path of the ncs-filename.backup.gz>
root@vtc-1:~# ncs-backup --install-dir /opt/nso --restore /home/admin/ncs @ t18\:10\:40.backup.gz
Restore /opt/vts/etc/nso from the backup (y/n)? y
Restore /opt/vts/run/nso from the backup (y/n)? y
INFO Restore completed successfully

# service nso start

# service nso status
* nso.service - File for starting NCS
   Loaded: loaded (/opt/vts/etc/systemd/nso.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue :04:30 UTC; 1 day 10h ago
  Process: 7723 ExecStop=/opt/vts/etc/systemd/ncs stop (code=exited, status=0/success)
  Process: 7758 ExecStart=/opt/vts/etc/systemd/ncs start (code=exited, status=0/success)
  Process: 7755 ExecStartPre=/usr/bin/perl /opt/vts/run/nso/packages/services/aaa/external_auth_cache.pl (code=exited, status=0/success)
 Main PID: 7764 (ncs.smp)
   CGroup: /system.slice/nso.service
           /opt/nso/current/lib/ncs/erts/bin/ncs.smp -K true -B -- -root /opt/nso/current/lib/ncs -progname ncs -- -home /dev/null -- -cd /opt/vts/run/nso -smp auto -p inet_gethost inet_gethost
           /bin/bash /opt/jre/current/bin/java -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.ta
           /opt/jre/current/bin/java-bin -classpath opt/nso/current/java/jar/* -Dport=4569 -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF-8 com.tailf.nc
           `-8209 heart -pid 7764

# crm configure property maintenance-mode=false

# crm status
Last updated: Thu Aug 10 05:26:
Last change: Thu Aug 10 05:26: by root via cibadmin on vtc-1
Stack: corosync
Current DC: vtc-1 (version b0) - partition with quorum
2 nodes and 4 resources configured
Online: [ vtc-1 vtc-2 ]
Full list of resources:
 Master/Slave Set: ms_vtc_ha [vtc_ha]
     Masters: [ vtc-1 ]
     Slaves: [ vtc-2 ]
 ClusterIP (ocf::heartbeat:ipaddr2): Started vtc-1
 ClusterIP2 (ocf::heartbeat:ipaddr2): Started vtc-1
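Both HA procedures above (backup and restore) depend on reading crm status before stopping NSO and again after leaving maintenance mode. The following is an added example, not part of the Cisco guide: shell functions that classify crm status text so a wrapper script can refuse to continue on the wrong node, outside maintenance mode, or when the cluster cannot be queried. The function names are hypothetical, and the sample text is constructed from the output shown above with timestamps and version omitted.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): guards for the HA backup/restore
# procedure. All function and variable names are hypothetical.
# Sample inputs are constructed from the crm status output shown on this page.

CRM_MAINT='Stack: corosync
Online: [ vtc-1 vtc-2 ]
Full list of resources:
 Master/Slave Set: ms_vtc_ha [vtc_ha] (unmanaged)
     vtc_ha (ocf::vts:vtc_ha): Master vtc-1 (unmanaged)
     vtc_ha (ocf::vts:vtc_ha): Slave vtc-2 (unmanaged)
 ClusterIP (ocf::heartbeat:ipaddr2): Started vtc-1 (unmanaged)
 ClusterIP2 (ocf::heartbeat:ipaddr2): Started vtc-1 (unmanaged)'

CRM_NORMAL='Stack: corosync
Online: [ vtc-1 vtc-2 ]
Full list of resources:
 Master/Slave Set: ms_vtc_ha [vtc_ha]
     Masters: [ vtc-1 ]
     Slaves: [ vtc-2 ]
 ClusterIP (ocf::heartbeat:ipaddr2): Started vtc-1
 ClusterIP2 (ocf::heartbeat:ipaddr2): Started vtc-1'

CRM_ERROR='ERROR: status: crm_mon (rc=107): Connection to cluster failed: Transport endpoint is not connected'

# Print the node that holds the Master role, or nothing if none is listed.
# Handles both layouts: per-resource lines (maintenance mode) and the
# summarised "Masters: [ ... ]" line (normal operation).
ha_master() {
    printf '%s\n' "$1" | awk '
        /\): Master / {
            for (i = 1; i < NF; i++)
                if ($i == "Master") { print $(i + 1); exit }
        }
        /Masters: \[/ { print $3; exit }'
}

# Print one of: maintenance | managed | mixed | unknown.
# "unknown" covers empty input and the crm_mon connection error, so callers
# fail closed when the cluster state cannot be read.
ha_mode() {
    printf '%s\n' "$1" | awk '
        /\(ocf::/ || /Set:/ {
            total++
            if ($NF == "(unmanaged)") unmanaged++
        }
        END {
            if (total == 0)              print "unknown"
            else if (unmanaged == total) print "maintenance"
            else if (unmanaged == 0)     print "managed"
            else                         print "mixed"
        }'
}

# Succeed only if every resource is unmanaged AND node $2 is the Master,
# i.e. the state the procedure expects before "service nso stop".
ha_safe_to_stop_nso() {
    [ "$(ha_mode "$1")" = "maintenance" ] && [ "$(ha_master "$1")" = "$2" ]
}

# Succeed only if the cluster is managed again and a Master is reported,
# i.e. the state expected after "maintenance-mode=false".
ha_back_in_service() {
    [ "$(ha_mode "$1")" = "managed" ] && [ -n "$(ha_master "$1")" ]
}

# Intended use on a VTC node (assumes hostname matches the crm node name):
#   ha_safe_to_stop_nso "$(crm status 2>&1)" "$(hostname)" && service nso stop
```

The connection-error case matters because the guide's own sample shows crm status failing when run as the admin user; the guard treats that as "unknown" instead of assuming the cluster is in maintenance mode.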

Viewing HA Status

The High Availability page lets you view the status of the nodes that are part of the high availability setup.

Go to Administration > High Availability. The table displays the following details:

- IP Address: The IP address of the node.
- Role: The current role.
- Status: The current status.

Enabling External Authentication and Authorization

Cisco VTS allows you to integrate with a remote authentication and authorization server for user authentication and authorization. In this release, Cisco VTS supports external authentication and authorization via a TACACS+ server.

You can add multiple TACACS+ servers. TACACS+ servers are randomly chosen for authentication from the list of configured servers. See the TACACS+ documentation for installing and configuring the TACACS+ server on an IPv4/IPv6 network.

For a user logging into VTS to be able to authenticate via a TACACS+ server, the VTS admin needs to set up the external authorization servers. A TACACS+ user has to be added to a user group, and that user group has to be mapped to a VTS user role, that is, administrator or operator. To do this, you need to modify the TACACS+ configuration file and add users and groups to map to the VTS user role. The user group names that you need to use while you create users in the TACACS+ server are:

- Administrator
- Operator

See Setting up Remote Authentication Server for details.

Important Notes:

- If the same username is present in both the local (Cisco VTS) database and TACACS+, the user is first authenticated using the local server. If the username is not present in the local database, or if local authentication fails due to a password mismatch, the system tries to authenticate the user from the TACACS+ server.
- Cisco VTS users and groups should be consistent across all the participating TACACS+ servers.
- If the same username is configured in both the local database and the TACACS+ server, you need to make sure the roles assigned are identical in both places.
- We recommend that you have unique users in the local database and TACACS+ servers.

- If an AAA user is not assigned to any of the Cisco VTS groups in the TACACS+ server, the user authentication will fail.
- AAA users, even AAA admin users, will not be able to disable AAA, but will still be able to add/delete AAA configuration.
- AAA usernames with special characters are not supported.
- We recommend that you use the vts-default authorization group while adding devices into network inventory. This is a system-defined authorization group, available in Cisco VTS. If you are not using the vts-default authorization group, you need to ensure that you create an auth group which has the AAA user added as the VTC Admin User Name.
- If a TACACS+ server is unavailable, the next server is contacted for authentication, and so on until all the servers are exhausted. This process is repeated thrice. If the user cannot be authenticated or authorized all three times, the authentication for the external user fails.

Setting up Remote Authentication Server

To enable remote user authentication, you must configure the system to use an external authentication server. Before you begin, review the Enabling External Authentication and Authorization section.

Step 1  Go to Administration > Remote Authentication Settings. The Remote Authentication Settings page appears.
Step 2  Use the Enable Protocol toggle button to enable the desired protocol. You must add at least one server for the selected protocol. Currently only TACACS+ is supported.
Step 3  Click Add (+). The Configure TACACS+ popup window appears.
Step 4  Enter the IP Address/Host Name, and the port details.
Step 5  Enter the secret key in the Key field. This can have 128 characters.
Step 6  Click the Logging toggle button to enable accounting. For more details about accounting and logging, see Setting up Accounting and Enabling Accounting and Logging.

To delete a TACACS+ server, select the check box corresponding to the server, click delete (X), and then click Save.

Enabling Accounting and Logging

The admin can select one of the TACACS+ servers as a logging server. Audit logs are sent to that server. In addition to that server, the audit logs are also written to the local log file (present in Cisco VTS).

On the TACACS+ server where you have enabled logging, you can find the log files at /var/log/tac_plus.acct.

The Cisco VTS location where you can find the log file is /opt/vts/log/nso/vts-accounting.log.

Logs are collected every 120 seconds (default setting).

The following fields can be found in the log:

- Client IP: Client IP from where the request was made
- Server IP: VTS server IP
- User Name: User who performs the transaction
- Message: The model change in the transaction or the REST API URL
- Date/Time: The time when the change was made
- Application Name: VTS (static value)
- Operation Type: Derived from the change; could be CREATE, UPDATE or DELETE
- Status: Success or Error (static value)

Setting up Accounting

To set up accounting, you must add one of the TACACS+ servers that are registered with Cisco VTS as the logging server. You can do this while you add the remote authorization servers. If you have already added remote authentication servers, you can select a server and edit it to make it the logging server.

Note: You can have only one TACACS+ server as the logging server at a time.

Step 1  Go to Administration > Remote Authentication Settings. The Remote Authentication Settings page appears.
Step 2  Use the Enable Protocol toggle button to enable the desired protocol. You must add at least one configuration instance for the selected protocol. Currently only TACACS+ is supported.
Step 3  Click Add (+). The Configure TACACS+ popup window appears.
Step 4  Enter the IP Address/Host Name, and the port details.
        Note: Cisco VTS supports IPv4 and IPv6 addresses.
Step 5  Enter the secret key in the Key field. This can have 128 characters.
Step 6  Click the Logging toggle button to enable accounting.
Step 7  Click Add.
Step 8  Click Save.

The logs are saved on the local VTS server and on the TACACS server. In Cisco VTS, you can see all the logs in vts-accounting.log, which has details such as the Username, Date/Time, Application Name, Operation Type, Status, Server IP, Client IP address, and the exact message about the transaction. Similarly, on the TACACS server you can see all the logs for the transactions.

Logs are collected every 120 seconds (default setting), and pushed to the TACACS+ accounting server (for example, tac_plus.acct) and to VTC (vts-accounting.log).

The log file is rotated once it reaches 100MB in size. The backup exists for 10 rotations, then gets deleted.


Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Table of Contents Configure and Manage Logging in to the Management Portal Verify and Trust Certificates Configure System Settings Add Cloud Administrators Add Viewers, Developers, or DevOps Administrators

More information

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 MP-BGP VxLAN, ACI & Demo Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 Datacenter solutions Programmable Fabric Classic Ethernet VxLAN-BGP EVPN standard-based Cisco DCNM Automation Modern

More information

Deployment Guide for Nuage Networks VSP

Deployment Guide for Nuage Networks VSP Page 1 of 29 view online Overview This document discusses the deployment and configuration of Avi Vantage Load Balancer in a Nuage Networks integrated OpenStack platform for a single tenant mode. The following

More information

Provisioning Core ACI Fabric Services

Provisioning Core ACI Fabric Services This chapter contains the following sections: Time Synchronization and NTP, page 1 Configuring a DHCP Relay Policy, page 4 Configuring a DNS Service Policy, page 7 Configuring Custom Certificate Guidelines,

More information

Cisco Mini ACI Fabric and Virtual APICs

Cisco Mini ACI Fabric and Virtual APICs Cisco Mini ACI Fabric and Virtual APICs New and Changed 2 Cisco Mini ACI Fabric and Virtual APICs Overview 2 Installing and Configuring Physical APIC 3 Installing and Configuring Virtual APIC 3 Upgrading

More information

Deployment Guide for Nuage Networks VSP

Deployment Guide for Nuage Networks VSP Page 1 of 11 view online Overview This document discusses the deployment and configuration of Avi Vantage Load Balancer in a Nuage Networks integrated OpenStack platform for a single tenant mode. The following

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Manage Administrators and Admin Access Policies

Manage Administrators and Admin Access Policies Manage Administrators and Admin Access Policies Role-Based Access Control, page 1 Cisco ISE Administrators, page 1 Cisco ISE Administrator Groups, page 3 Administrative Access to Cisco ISE, page 11 Role-Based

More information

Cisco CTL Client Setup

Cisco CTL Client Setup This chapter provides information about Cisco CTL client setup. About, page 2 Addition of Second SAST Role in the CTL File for Recovery, page 2 Cluster Encryption Configuration Through CLI, page 3 Remove

More information

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.5.0 vrealize Operations Management Pack for NSX for vsphere 3.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition.

More information

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1 Using the VMware vcenter Orchestrator Client vrealize Orchestrator 5.5.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem

SafeConsole On-Prem Install Guide. version DataLocker Inc. July, SafeConsole. Reference for SafeConsole OnPrem version 5.2.2 DataLocker Inc. July, 2017 SafeConsole Reference for SafeConsole OnPrem 1 Contents Introduction................................................ 2 How do the devices become managed by SafeConsole?....................

More information

Configuring Web-Based Authentication

Configuring Web-Based Authentication This chapter describes how to configure web-based authentication on the switch. It contains these sections: Finding Feature Information, page 1 Web-Based Authentication Overview, page 1 How to Configure

More information

Planning and Preparation. VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0

Planning and Preparation. VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0 VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

Configuring VXLAN EVPN Multi-Site

Configuring VXLAN EVPN Multi-Site This chapter contains the following sections: About VXLAN EVPN Multi-Site, page 1 Licensing Requirements for VXLAN EVPN Multi-Site, page 2 Guidelines and Limitations for VXLAN EVPN Multi-Site, page 2 Enabling

More information

VMware Integrated OpenStack Quick Start Guide

VMware Integrated OpenStack Quick Start Guide VMware Integrated OpenStack Quick Start Guide VMware Integrated OpenStack 1.0.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Using Cloud VPN Service

Using Cloud VPN Service To begin, log in to the VMS Service Interface using your consumer credentials. In case of association with several tenants, choose a customer name from the drop-down in the left pane of the Welcome page.

More information

Using the vrealize Orchestrator OpenStack Plug-In 2.0. Modified on 19 SEP 2017 vrealize Orchestrator 7.0

Using the vrealize Orchestrator OpenStack Plug-In 2.0. Modified on 19 SEP 2017 vrealize Orchestrator 7.0 Using the vrealize Orchestrator OpenStack Plug-In 2.0 Modified on 19 SEP 2017 vrealize Orchestrator 7.0 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Using Cloud VPN Service

Using Cloud VPN Service To begin, log in to the VMS Service Interface using your consumer credentials. In case of association with several tenants, choose a customer name from the drop-down on the left pane of the Welcome page.

More information

Configuration Guide. Requires Vorex version 3.9 or later and VSA version or later. English

Configuration Guide. Requires Vorex version 3.9 or later and VSA version or later. English Kaseya v2 Integration of VSA with Vorex Configuration Guide Requires Vorex version 3.9 or later and VSA version 9.3.0.11 or later English September 15, 2017 Copyright Agreement The purchase and use of

More information

Using vrealize Operations Tenant App as a Service Provider

Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider Using vrealize Operations Tenant App as a Service Provider You can find the most up-to-date technical documentation on the VMware Web site at:

More information

Change and Configuration Management Administration

Change and Configuration Management Administration CHAPTER 7 Change and Configuration Management Administration These topics provide administrative information on Change and Configuration Management: Configuring Global Settings for Configuration Management,

More information

Introduction to Change and Configuration Management

Introduction to Change and Configuration Management CHAPTER 1 Introduction to Change and Configuration Management Cisco Prime Network Change and Configuration Management provides tools that allow you to manage the software and device configuration changes

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Cisco Virtual Topology System (VTS) 2.5 Developer Guide

Cisco Virtual Topology System (VTS) 2.5 Developer Guide Cisco Virtual Topology System (VTS) 2.5 Developer Guide Updated: April 26, 2017 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are

More information

Manage Your Inventory

Manage Your Inventory About Inventory About Inventory, on page 1 Inventory and Cisco ISE Authentication, on page 2 Display Information About Your Inventory, on page 2 Types of Devices in the DNA Center Inventory, on page 6

More information

Device Management Basics

Device Management Basics The following topics describe how to manage devices in the Firepower System: The Device Management Page, on page 1 Remote Management Configuration, on page 2 Adding Devices to the Firepower Management

More information

Forescout. Controller Plugin. Configuration Guide. Version 1.1

Forescout. Controller Plugin. Configuration Guide. Version 1.1 Forescout Network Module: Centralized Network Controller Plugin Version 1.1 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/

More information

Portal configuration commands

Portal configuration commands Contents Portal configuration commands 1 display portal acl 1 display portal connection statistics 5 display portal free-rule 7 display portal interface 9 display portal-roaming 11 display portal server

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 3 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 8 Information About FlexConnect Groups To organize and manage your FlexConnect access points,

More information

User and System Administration

User and System Administration CHAPTER 2 This chapter provides information about performing user and system administration tasks and generating diagnostic information for obtaining technical assistance. The top-level Admin window displays

More information

F5 iworkflow : Cisco APIC Administration. Version 2.0

F5 iworkflow : Cisco APIC Administration. Version 2.0 F5 iworkflow : Cisco APIC Administration Version 2.0 Table of Contents Table of Contents F5 iworkflow Introduction...5 About incorporating iworkflow securely into your network...5 Open ports required

More information

Configuring Cisco Mobility Express controller

Configuring Cisco Mobility Express controller There are multiple ways one can configure a Cisco Mobility Express controller. They are as follows: 1 CLI Setup Wizard 2 Over the Air Setup Wizard 3 Network Plug and Play CLI Setup Wizard, page 1 Over-the-Air

More information

Unicast Forwarding. Unicast. Unicast Forwarding Flows Overview. Intra Subnet Forwarding (Bridging) Unicast, on page 1

Unicast Forwarding. Unicast. Unicast Forwarding Flows Overview. Intra Subnet Forwarding (Bridging) Unicast, on page 1 Unicast, on page 1 Unicast Flows Overview Intra and inter subnet forwarding are the possible unicast forwarding flows in the VXLAN BGP EVPN fabric, between leaf/tor switch VTEPs. They are explained in

More information

Configuring High Availability (HA)

Configuring High Availability (HA) 4 CHAPTER This chapter covers the following topics: Adding High Availability Cisco NAC Appliance To Your Network, page 4-1 Installing a Clean Access Manager High Availability Pair, page 4-3 Installing

More information